Highlights: 

  • Mars Stealer extracts personal data such as stored credentials and browser cookies from compromised systems.
  • The information Mars Stealer steals is sold on criminal marketplaces or used as a launchpad for further attacks.

Mars, an information stealer, has been observed in campaigns that use cracked versions of the malware to steal data saved in web browsers and cryptocurrency wallets.

In a report published on Tuesday, Arnold Osipov, a Morphisec malware researcher, said, “Mars Stealer is being distributed via social engineering techniques, mail spam campaigns, malicious software cracks, and keygens.”

Mars Stealer, first spotted in June 2021 and based on the Oski stealer, is said to be under continuous development. It is sold on more than 47 underground forums, darknet sites, and Telegram channels for as little as USD 160 for a lifetime subscription.

Information stealers let adversaries extract personal data from compromised computers, such as saved credentials and browser cookies. The operators then sell this data on criminal markets or use it as a launchpad for follow-on attacks.

Since Mars Stealer appeared last year there has been a steady increase in attack campaigns. Some of them used a cracked version of the malware that was configured in a way that exposed critical assets on the internet, unintentionally leaking information about the threat actors' infrastructure.

Also notable is a campaign observed last month that stole the passwords of students, faculty members, and content creators who had downloaded trojanized versions of legitimate applications.

Furthermore, the cybersecurity company noted that it “identified credentials which led to the full compromise of a leading healthcare infrastructure provider in Canada and many high-profile Canadian service companies.”

Mars Stealer is usually delivered via spam email messages carrying a compressed executable, a download link, or a document payload, but it is also distributed through fraudulent clone websites for popular software such as OpenOffice that are promoted through Google Ads.

The aim is to use geographically targeted ads to trick victims searching for the genuine software into clicking a link to the malicious site instead, which leads to deployment of the malware.

Mars Stealer is designed to harvest and exfiltrate browser autofill data, credit card data, and browser extension data, including crypto wallet extensions such as MetaMask, Coinbase Wallet, and Binance Wallet, as well as system metadata.
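For an incident responder, the practical question behind that list is which of those artifacts actually exist on a given host, since that bounds what a stealer could have taken. The script below is an added illustration, not code from Morphisec or from the Mars Stealer sample: it walks a Chromium-style "User Data" directory, records which credential, cookie and autofill stores are present per profile, and reads each installed extension's manifest.json to flag wallet extensions by name (the names matched are the three the article lists). It only reports paths and names; it never opens or decrypts any of the stores. The sample profile tree it builds for demonstration is constructed data.

```python
"""Exposure inventory for the browser artifacts an infostealer targets.

Added illustrative example (not Morphisec's or Mars Stealer's code).  Assumes the
standard Chromium profile layout: <User Data>/<profile>/{Login Data, Cookies,
Network/Cookies, Web Data} and <profile>/Extensions/<id>/<version>/manifest.json.
"""
import json
import tempfile
from pathlib import Path

# Per-profile files, mapped to the data class an infostealer would be after.
TARGET_FILES = {
    "Login Data": "saved credentials",
    "Cookies": "session cookies",
    "Network/Cookies": "session cookies",   # newer Chromium builds keep cookies here
    "Web Data": "autofill and credit cards",
}

# Wallet extension names from the article, matched case-insensitively against manifest "name".
WALLET_KEYWORDS = ("metamask", "coinbase wallet", "binance")


def extension_name(manifest_path: Path) -> str:
    """Return the extension's display name, or its folder id if the name is localised."""
    try:
        data = json.loads(manifest_path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return ""
    name = data.get("name", "")
    if not isinstance(name, str) or name.startswith("__MSG_"):
        return manifest_path.parents[1].name   # Extensions/<id>/<version>/manifest.json
    return name


def inventory_profile(profile_dir: Path) -> dict:
    """Return {'files': {data class: [paths]}, 'wallet_extensions': [names]} for one profile."""
    found: dict = {}
    for rel, data_class in TARGET_FILES.items():
        p = profile_dir / rel
        if p.is_file():
            found.setdefault(data_class, []).append(str(p))
    wallets = []
    ext_root = profile_dir / "Extensions"
    if ext_root.is_dir():
        for manifest in ext_root.glob("*/*/manifest.json"):
            name = extension_name(manifest)
            if any(k in name.lower() for k in WALLET_KEYWORDS):
                wallets.append(name)
    return {"files": found, "wallet_extensions": sorted(set(wallets))}


def exposure_report(user_data_dir: Path) -> dict:
    """Inventory every profile (Default, Profile 1, ...) under a Chromium User Data dir."""
    report = {}
    for profile in sorted(user_data_dir.iterdir()):
        if profile.is_dir() and (profile.name == "Default" or profile.name.startswith("Profile ")):
            report[profile.name] = inventory_profile(profile)
    return report


def build_sample_user_data(root: Path) -> Path:
    """Construct a fake Chromium User Data tree (constructed data, for offline demonstration)."""
    udd = root / "User Data"
    default = udd / "Default"
    for rel in ("Login Data", "Web Data", "Network/Cookies"):
        target = default / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"SQLite format 3\x00")   # header only, no real records
    wallet = default / "Extensions" / "fakewalletid000" / "1.0_0"
    wallet.mkdir(parents=True)
    wallet.joinpath("manifest.json").write_text(json.dumps({"name": "MetaMask", "version": "1.0"}))
    other = default / "Extensions" / "fakeotherid0000" / "2.0_0"
    other.mkdir(parents=True)
    other.joinpath("manifest.json").write_text(json.dumps({"name": "uBlock Origin"}))
    (udd / "Profile 1").mkdir()   # second, empty profile
    return udd


def demo_report() -> dict:
    """Build the constructed sample tree in a temp dir and return its exposure report."""
    with tempfile.TemporaryDirectory() as tmp:
        return exposure_report(build_sample_user_data(Path(tmp)))


if __name__ == "__main__":
    print(json.dumps(demo_report(), indent=2))
```

On a real Windows host you would point `exposure_report` at `%LOCALAPPDATA%\Google\Chrome\User Data` (or the equivalent directory for another Chromium-based browser); the output is a quick answer to "what could an infostealer have reached here", which is what decides whether credential resets and session revocations are needed after an infection.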

Because the threat actor infected their own system with Mars Stealer while debugging it, this OPSEC failure allowed the researchers to attribute the campaign to a Russian speaker and to uncover details of the adversary's use of GitLab and of stolen credentials used to set up Google Ads.

Expert's view: 

“Info stealers offer an accessible entry point to criminal activity. They empower novice cybercriminals to build a reputation they can leverage to acquire more powerful malware from more sophisticated actors,” Osipov said.